PGP in 15 minutes

What is PGP?

PGP is Pretty Good Privacy, a software program that does 3 things:
  1. Encrypts (scrambles) documents or email so that only your intended recipients can read them. Or PGP can encrypt messages so that only you can read them.
  2. Signs and seals digital documents in a way that proves that you wrote them, and that they haven't been tampered with.
  3. Deletes files so that they REALLY can't be un-deleted.

What version of PGP should I use?

If you're using PGP for commercial purposes in the USA, you will need to buy a copy from www.pgp.com
Non commercial Mac and Windows users should download version 6 or greater from www.pgpi.org.
People who like free software and the command line should go to www.gnupg.org for Gnu Privacy Guard.

PGP has been around for a while, and there are a LOT of different versions out there. Old versions (2.6) sometimes can't exchange messages with new versions (5, 6, GPG). There are still a lot of people who use 2.6 because that 's the only version that runs on their hardware or operating system.

How does PGP work?

Here's an accurate simplification, starting with a metaphor:
Imagine a drop safe like the one on the side of a bank. On the bottom you have a big door that opens with a key. On the top you have a rotating slot like the top of a post office box. Pretty much anybody can walk by, drop in cash and have it drop into the bottom of the safe. They can be certain that only the owner of the safe (who has the key) can unlock it.
Now imagine that we have a room full of safes. On the top of each safe is a publicly visible name and number . If you look me up, I'll be safe number 123 . So if you then go drop a message into safe number 123 , only I will be able to retrieve it.

Every body who uses PGP creates their own unique digital ID which is called a key pair. This key pair is built from of two large prime numbers which are related to each other by very clever math. One half of the key is called the public key, which is like the safe number in the example above. In order to have people send you encrypted messages, they will need to have a copy of your public key.

The other half is called the private key or the secret key. It's the same as the key the owner uses to unlock the safe. Messages are scrambled with the recipient's public key. Because of the clever math, nothing but the recipient's private key will be able to unscramble the message. Note that this means that the private key has to remain a secret. If you leave that key around, anybody will be able to unlock your mail.

Go look at the cryptography FAQ for a in-depth version.

How do I start using PGP ?

You have to go through these four steps:
  1. Generate your own digital ID / key pair.
    Here's a good quick guide to building a key pair in PGP version 5 or 6.
    For GPG, type gpg --genkey.

    You can go along with most of the default choices. When it asks you how long the key should be good for, pick some date about 6 weeks out. You're probably going to make mistakes with your first key, and it's nice to have them lapse quickly. When it asks for a passphrase, you should type in a 4 or 5 word sentence. Effectively, this passphrase is your signature. Go to The Passphrase FAQ if you want a lot more information on passphrases.

  2. Give your new public key to everyone who needs to send you secure messages
    When you're starting out, DON'T put your key up on a keyserver. Instead, make an ASCII (text) version of your public key.
    In Windows or Mac PGP , you can right click on your key and select copy. Then paste the result into an email you send to your friend.
    For GPG it's gpg -a --export yourname@youremail.com
  3. Get the public key of anyone you want to send mail to.
    Once they mail you a email containing their public key, you have to import it into PGP. Use your mouse to highlight the public key, including the whole section from ----BEGIN to BLOCK---- .You need to include all the "---"es. Copy the highlighted area into your clipboard. Then right click on the icon of your PGP program (on the bottom of your screen), and select "Add key from clipboard". Then select the Import option.
    For GPG, type gpg --import , then paste in the public key.
  4. Write mail and encrypt it with the recipient's public key.
    After you've written your mail, highlight the whole thing, and copy it into your clipboard. Then click on the PGP icon and select "Encrypt Clipboard". It will then prompt you to select the public key of the recipients. You want to select the names of all the people you're sending the email to. You should probably also include yourself, so you can decrypt the message yourself if something goes wrong. Select OK. PGP will then encrypt the clipboard. Go back to your mail program and paste. You should see a bunch of random letters bookended with ----. For example: ---- BEGIN (lots of random text) BLOCK---- . If you don't see that, you need to try again. Make sure that you don't still see the unencrypted message. Send the mail when all seems well.
    For GPG, type gpg -ear recipient1@example.com -r your-email@yourcompany.com >message.asc and paste in the message. Then you can attach the message.asc file, or paste it into the email. If gpg doesn't finish after you paste in the email, type CTRL-D.
  5. When the reply comes back, decrypt the message with your private key.
    This is the reverse of sending mail. Copy the entire received PGP block, from the ----BEGIN through BLOCK----, and cut it into your clipboard. Then right click on the PGP icon, and select "Decrypt/Verify". You can then paste the reply into notepad or any other word processor.

Is this all I need to know?

This is just how to use the software for encrypting and decrypting. Before you go on to other uses , you need to consider how to avoid being fooled by an impostor. Anybody can claim to be Napolean & may give you a PGP key that matches their name. The trick is to be able to separate the real general from the loonies. The way PGP takes care of this problem is by having people sign each other's keys once they've verified each other. This creates a "web of trust", whereby I can safely assume that this really is the dry cleaner if both my brother and my neighbor have signed the dry cleaner's key.

How do I verify a key?

Once someone has sent you a key, you can select the menu option for "Key Properties" from the Key menu ((( CAN YOU ALSO RIGHT CLICK ON IT? ))). For PGP 2.6 that's pgp -kvc . For GPG that's gpg -kc
There are 3 pieces of data here to verify:
  1. fingerprint, for example AD 23 A1 90 B1 2B AF BA 44 49 16 7E 3D A0 F3 C3
  2. key length, for example 1023 Bits
  3. KeyID, for example D79B4A39
Call up your friend and have her read you the properties of her key, while you check it out yourself. If all is well, you can move on to signing your copy of her public key. Many people put their fingerprint on business cards as a way of jump starting this process. All you have to do is know that the face and the key go together. You don't have to worry about if they're a good person or not.

Sooner or later, you're going to receive a public key that's been signed by a couple friends of yours. If you've already signed your friends keys, PGP will automatically trust the newcomer's key.

How do I sign someone else's key?

In PGP 2.6 or GPG, it's gpg -ks . In PGP 5 or 6, you should open the PGPkeys program, then select the key you want to sign. Go to the Keys menu, then choose Sign. Click on the Allow signature to be exported box. Then click Ok.

Once you've signed someone's key, you should give it back to them, so that they can use your signature as a reference. You can send their public key using the same techniques you used to give them your public key.

What is a keyserver?

A keyserver is a database of people's public keys put up on the Internet to make it simpler to download other people's keys. There really great, except for one thing: There is no way to remove a key from a keyserver. ( But you do get most of that effect by revoking the key ) If you lose your PGP passphrase & have to generate a new key, there are going to be 2 keys on the keyserver, and people are going to have trouble picking the right one. Since you're likely to make some mistakes as you start, don't put your keys on a key server until you're confident.

How to send a key to a keyserver (certificate server) ?

PGP 2.6 doesn't do keyservers. You'll have to do everything by hand using a web interface, for example http://www.tenhand.com/pgp.

GPG does support keyservers, but in an irritating way. It will only ask for or send key ids, not user names. So you have to look up your key id before sending. ( gpg -kc yourname ) Then you can send the key with gpg --keyserver www.tenhand.com --send-keys 0xkeyid . You have to add 0x onto the front of the keyid name.

PGP 5 through 7 make sending keys almost too easy, since they use some very public keyservers by default. ( This is good if you know what you're doing).
To send keys in PGP, Open PGP Keys, click on the public key you want to send, then click on the Server menu and select the server you want to send to on the Send To sub menu.

Getting keys from a keyserver (certificate server)

For PGP 2.6 and GPG, just download the key by hand from the keyserver's web interface. (eg http://pgp.mit.edu or http://www.tenhand.com/pgp. Then you can cut and paste it in as though you got it in the mail.

For PGP 5 through 7, open PGP keys, Click on the Server menu, and then select Search. Choose the server you want to search on, and type in what you want to search for (username, keyid) , then click on Search. To import the keys, drag them onto the PGPkeys main window.

Revoking a key

If you lose your private key, it would be nice to be able to force people to stop sending mail with it. You can do this, but only if you've created a key revocation certificate in advance. If you send the key revocation to a keyserver, it will prevent other people from continuing to use that key.

When you want to revoke your key, import the revocation certificate (just like anybody else's public key). This will then modify your keypair. Send the modified public key to the keyserver, and everyone will be able to see that your key has been revoked.
Generating a revocation certificate for GPG is simple: just type gpg -a --gen-revoke username > revoke.asc . Then save the revoke.asc file someplace safe.

For PGP , generating a revocation is actually a big hassle. You have to back up your pgp keyrings, then revoke the key. Then backup the revoked key someplace, then restore your working keys. You can revoke the key by clicking on the key you want to revoke, then choosing Revoke from the Keys menu.

Signing files

By FAR the easiest way to sign a document is to click on the "encrypt & sign" option when you're sending someone else an encrypted document. For PGP 2.6 or GPG, just add -sa to your command line.
The next best option is to save the file you want to sign, and then make a detached signature of that file. You will then need to email the recipient both the original file, and the separate signature file.
For GPG, the syntax is gpg -a --detach-sign [filename]

Wiping files

This is probably the simplest part of PGP. For newer versions of PGP, the PGP-Wipe program should be fairly self explanetory. For PGP 2.6, you can use pgp -w [filename], but it doesn't do a good job of wiping. GPG doesn't wipe files by default.

More reading

If you've got more than 15 minutes, go look at The international PGP home site where all the manuals live or PGP for dummies or PGP for absolute beginners or The PGP FAQ or 101 things not to do with PGP or http://www.mccune.cc/PGP.html